Government Red Flag Audit

A government Red Flag audit is inevitable as the number of identity theft cases increases and affects more people and their creditworthiness than ever before. A government audit of a company's identity theft prevention program, as agreed by an interagency committee, will cover three major aspects of the Red Flags Rule. These major Red Flags Rule compliance audit areas are:

1. Identity theft red flags,

2. Address discrepancies, and

3. Changes of address.

The above three identity theft prevention areas will be audited using the following 15 audit procedures during any government Red Flag audit. Whether your company is audited by the FDIC, NCUA, FTC or any other regulatory body, the following audit procedures will be followed by the examiners to assess the completeness and effectiveness of your company’s Red Flags Rule program or identity theft prevention controls. Therefore, these audit procedures must be considered by all financial institutions and creditors to comply with the Identity Theft Red Flags Rule, which has been adopted and taken effect. Government risk management examiners are also instructed to test institutions for Red Flags regulation compliance as well as address discrepancy and change management during risk management audits.

Specifically, the government Red Flag audit guidelines require the following:

1. Financial institutions and creditors to implement a written identity theft prevention program,

2. Card issuers to assess the validity of change of address requests, and

3. Users of consumer reports to verify the identity of the subject of a consumer report in the event of a notice of address discrepancy.

15 Government Red Flag Audit Procedures

Identity Theft Red Flags Audit Procedures

1. Covered Accounts - Government Red Flag audit examiners will verify that the institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the institution:

  • included accounts for personal, family and household purposes, that permit multiple payments or transactions;
  • conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution's previous experiences with identity theft.

2. Other Regulations - Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the financial institution's ability to comply with the identity theft Red Flags Rules.

3. Management Oversight - Government auditors will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flag Rules. These include reports that address:

  • Effectiveness of the institution's ID Theft prevention program,
  • Significant ID Theft incidents and management's response,
  • Oversight of service providers that perform activities related to covered accounts, and
  • Recommendations for material changes to the prevention program.

4. Comprehensive Program - Examiners will verify the financial institution has developed and implemented a comprehensive written Program that is designed to detect, prevent, and mitigate identity theft. The Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags, whether the program is updated periodically, and whether the board approved and oversees the program.

5. Trained Staff - Examiners will verify that the financial institution trains appropriate staff to effectively implement and administer the program.

6. Vendor Management - Examiners will determine whether the financial institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.

When these procedures are complete, examiners will form a conclusion about whether the financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft.

Address Discrepancy Audit Procedures


The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The government Red Flag audit procedures include five steps to assess address discrepancy compliance:

7. Recognition - Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.

8. Reasonable Belief - Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.

9. Accurate Address - Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency a consumer address that the users have reasonably determined is accurate.

10. Timing - Examiners will determine whether the users' policies and procedures require them to furnish the confirmed address as part of the information they regularly furnish to the credit reporting agencies during the reporting period when they establish a relationship with the consumer.

11. Sampling - If procedural weaknesses or risks are determined, examiners will obtain a sample of consumer reports requested by the user from a credit reporting agency regarding notices of address discrepancies to determine:

  • how the user established reasonable belief that the reports related to the consumer in question,
  • if the consumer relationship was established,
  • whether the institution furnished a consumer address that was reasonably confirmed, and
  • whether the user furnished the address in the appropriate reporting period.

Change of Address Audit Procedures


The regulation also requires institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:

  • Notifies the cardholder of the address change request and provides the customer a communication means to report unauthorized address changes,
  • Notifies the customer with a previously agreed upon means of communication, or
  • Assesses the validity of the change of address according to procedures established as part of the ID Theft prevention program.

A government Red Flag audit will include four steps to test change of address compliance:

12. Verification - Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.

13. Prevention - Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.

14. Special Notice - Examiners will determine whether written or electronic notice is sent to cardholders to validate a change of address. This notice must be exclusive from any regular correspondence.

15. Sampling - If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.

Visit Identity Management Institute to learn more about government Red Flag audit training and professional certification.
